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AMENDMENTS TO THE SPECIFICATION : 

Please replace paragraph [0012] with the following amended paragraph: 

[ 0012 ] It is therefore an important object of th e pr e s e nt inv e ntion at this stage to provide t he 
provision of means and methods for allowing an effective authentication mechanism of WEAN 
users as well as a complete encryption mechanism throughout the whole communication path 
starting from the Terminal Equipment of said users. 



Please replace paragraph [0022] with the following amended paragraph: 

[ 0022 ] In this respect, it is an object of th e pr e s e nt inv e ntion th e achi e v e m e nt o f to achieve a 
much higher security level allowing the operator to choose an encryption algorithm that better 
suit e s suits their security needs. Notice that there is usually a trade-off between security level and 
performance. Therefore, additional features like supporting keys with a length of 128, 168, 256 
bits, etc.; as well as supporting the latest most secure algorithms, like AES for instance, and a 
key rotation procedure may be considered a 



Please replace paragraph [0023] with the following amended paragraph: 

[ 0023 ] Moreover, in accordance with this application above, US 2002/0009199, the encrypted 
path goes from the Mobile Terminal to the AP, since WEP is only applicable to the radio path. In 
this respect, the support for an encryption path to be established beyond the AP, and covering 
also the wired part of the WLAN, is a f 
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Please replace paragraph [0024] with the following amended paragraph: 

[0024] Eurthermore, US 2002/0009199 teaches that the assignment of an IP address is done 
before running the authentication process, and hence, a malicious user can potentially initiate a 
whole set of well-known attacks. However, if a user ha d has no means to get IP connectivity 
before having been effectively authenticated, the risk would decrease greatly. Thereby, it is a 
further object of the present invention the provision of to provide an authentication mechanism 
for a user to be carried out before giving IP connectivity to said user. 

Please replace paragraph [0026] with the following amended paragraph: 

[0026] In summary, an important object of the present invention is the provision of a to provide 
system, means and methods for allowing an effective SIM-based user authentication and for 
establishing a complete encryption path, starting from the TE, for WLAN users who are 
subscribers of a public land mobile network. Another particularly important object is that this 
SIM -based user authentication might be performed before giving IP connectivity to said user. 

Please replace paragraph [0027] with the following amended paragraph: 

[0027] A further object of th e pr e s e nt inv e ntion is th e support o f supporting keys of variable 
length, the use of security algorithms at operator choice, and providing p rovision of a key 
rotation procedure. 

Please replace paragraph [0028] with the following amended paragraph: 

[0028] A still further object of th e pr e s e nt inv e ntion is th e achi e v e m e nt o f to achieve the 
previous objects with a minimum impact on conventional WLAN scenarios. 
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Please replace paragraph [0029] with the following amended paragraph: 

[0029] The objects of the invention are achieved with a method for allowing a SIM -based 
authentication to users of a wireless local area network who are subscribers of a public land 
mobile network by means of a data link layer (layer-2) authentication mechanism. An important 
aspect of this method is that the IP connectivity is only provided to the user when the 
authentication process has been successfully completed. 

Please replace paragraph [0030] with the following amended paragraph: 

[0030] The objects of th e inv e ntion are thus achieved with a method wherein a wireless terminal 
finds an accessible Access Point and requests association to the wireless local area network, and 
the Access Point accepts the request for that. The wireless terminal then initiates the discovering 
of an Access Controller interposed between the Access Point and the public land mobile 
network. 

Please replace paragraph [0037] with the following amended paragraph: 

[0037] Also for accomplishing the objects of th e pr e s e nt inv e ntion there is provided an Access 
Controller that comprises a Point-to-Point server residing at an OSI layer-2 for communicating 
with the wireless terminal; and an authentication protocol residing at an OSI application layer for 
communicating with the public land mobile network. Moreover, this Access Controller further 
comprises means for shifting the information received on top of the Point-to-Point layer-2 
protocol upwards to an appropriate authentication protocol residing at application layer. 
Eikewise, the Access Controller also comprises means for shifting the information received on 
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the authentication protocol residing at application layer downwards on top of the Point-to-Point 
layer 2 protocol. 

Please replace paragraph [0038] with the following amended paragraph: 

[0038] In order to feUy accomplish the objects of the invention , it is also provided a wireless 
terminal comprising functionality for acting as a Point-to-Point layer 2 protocol client and having 
an Extensible Authentication Protocol on top of this Point-to-Point layer 2 protocol. 

Please replace paragraph [0039] with the following amended paragraph: 

[0039] Th e In one aspect, an overall solution provided by the invention results in a 
telecommunication system comprising a wireless local area network that includes at least one 
Access Point, a public land mobile network, at least one wireless terminal as above, and the 
Access Controller above. 

Please replace paragraph [0041] with the following amended paragraph: 

[0041] PIG. 1 represents an a - pr e f e rr e d -embodiment of how a user of a conventional mobile 
network accessing through a WLAN, which can be accessed by mobile and non-mobile users, 
may be authenticated by his own mobile network and may have an encrypted path from the TE 
to his own mobile network. 

Please replace paragraph [0045] with the following amended paragraph: 

[0045] The following describes curr e ntly pr e f e rr e d embodiments of means, methods and system 
for allowing an effective SIM-based user authentication and for establishing a complete 
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encryption path starting from the TE for WLAN users who are subscribers of a public land 
mobile network. In accordance with an aspec t of the present invention , this SIM-based user 
authentication is performed before having given IP connectivity to said user. 

Please replace paragraph [0046] with the following amended paragraph: 

[0046] Therefore, an overall sketch of a preferred embodiment is presented in EIG. 1, showing a 
general scenario where subscribers of a public land mobile network (GSM/GPRS/UMTS), as 
well as other local non-mobile users, access a wireless local area network (WLAN). This 
general scenario in FIG. 1 proposes a particularly simple architecture aimed to minimise the 
impacts on an existing conventional WLAN in order to accomplish one or more of the stated 
objects of th e pr e s e nt invention . This rather simple architecture involves different entities from a 
WLAN and from a public land mobile network, which are described following this. Moreover, 
Fig. 2 presents an even more simplified architecture in accordance with another embodiment ef 
th e pr e s e nt inv e ntion for a WLAN giving access only to subscribers of a public land mobile 
network and without local WLAN users. 

Please replace paragraph [0049] with the following amended paragraph: 

[0049] Other entities in the scenarios in Fig. 1 and 2 are the Access Points that behave as plain 
standard radio stations according to the standard 802.1 lb, without any additional logic. Unlike 
other possible solutions, as explained in respect of the coming standard 802. lx, the approach 
offered by the one or more embodiments p r e s e nt inv e ntion allows the reuse of the cheap existing 
hardware instead of having to replace or upgrade all AP’s present in the WLAN. These 
unchanged AP's might run in this scenario with WEP support turned off, since such WEP offers 
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by itself a little security compared to the security mechanisms that are implemented on top of the 
PPPoE layer. 

Please replace paragraph [0050] with the following amended paragraph: 

[0050] In accordance with an aspect of the present invention , there is provided a new entity, the 
Access Controller (hereinafter referred to as AC) in both Fig. 1 and 2 that comprises the required 
PPPOE server functionality. This PPPoE server is automatically discovered by the Terminal 
Equipment (TE), by means of a built-in mechanism in the PPPoE protocol, namely through a 
handshake initiated by a broadcast message. This Access Controller (AC) also comprises a 
RADIUS client functionality that has the responsibility of gathering client credentials, received 
through EAP attributes carried on top of a PPP, and sending them toward a conventional WLAN 
Authentication Server (WLAN-AS), also through EAP attributes carried now on top of RADIUS 
messages. A component like this Access Controller (AC) is also a core part for the purpose of 
the pr e s e nt solution one or more embodiments . 

Please replace paragraph [0052] with the following amended paragraph: 

[0052] A further entity present only in the most general scenario shown in Fig. 1 is a WLAN- 
Authentication Server (WLAN-AS) that implements the functionality of a local authenticator 
server for local WLAN users, not belonging to the mobile operator, and who may be thus 
authenticated by other means such as a plain user and password matching. This WLAN-AS also 
plays the role of a RADIUS proxy, when receiving authentication messages from the Access 
Controller and forwards, them toward an Authentication Gateway (hereinafter referred to as AG) 
in the public land mobile network operator’s domain. 
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Please replace paragraph [0053] with the following amended paragraph: 

[0053] The WEAN-AS is only required for the purpose of the present invention in order 
functions to authenticate own WLAN users who are not mobile subscribers of the public land 
mobile network. Consequently, a WLAN intended for giving access only to subscribers of a 
mobile network may get rid of such entity without affecting the authentication of said mobile 
subscribers and the establishment of an encrypted pat h, scope of the present invention . In this 
respect. Fig. 2 presents an embodiment of a simplified architecture for a WLAN giving access 
only to subscribers of a public land mobile network as explained above wherein the WLAN-AS 
is thus not included. 

Please replace paragraph [0055] with the following amended paragraph: 

[0055] In short, the Access Controller, the aforementioned PPPoE client, which is embedded in 
the Terminal Equipment, and this Authentication Gateway are the eei=e entities included in one or 
more embodiments, for th e purpos e of th e pr e s e nt inv e ntion. The particular description for the 
functions residing in such entities is merely illustrative and in non-restrictive manner. 

Please replace paragraph [0057] with the following amended paragraph: 

[0057] On the other hand, the manner in which the different elements carry out some aspects of 
the pr e s e nt inv e ntion accordingly with curr e ntly pr e f e rr e d one or more embodiments is described 
below with reference to the sequence of actions depicted in Fig. 4. 
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